The overall computer security strategy of a computer network is only as strong as its weakest link, and unsecured PCs connected to mainframes represent an extremely weak link. For instance, authorized PC users can legitimately download large amounts of mainframe information. This data, which had been protected by the mainframe's access control facilities, is then easily accessed by anyone who can turn on the PC. Unauthorized users can copy sensitive data, modify data that will be uploaded to the mainframe, or destroy valuable information. Even worse, some users utilize "macro key generators" to automate host logons. Thus anyone who can access the PC can access the mainframe.
Most professionals keep sensitive, confidential, or critical documents (such as personnel files, financial information, marketing and sales information, and confidential memos) securely locked up in file cabinets. Yet many of these same professionals have not put access controls onto their PCs that contain equally valuable and sensitive information. A major reason is that prior art PC security products tend to be obtrusive, complicating implementation and daily use, and often degrade system performance. Such controls are quickly discarded as being impractical.
A major accounting firm recently reported that over 50% of American managers have suffered computer-related losses including data destruction, confidentiality breaches, and misuse of information. Unauthorized employee access was cited as the leading cause. After all, unprotected PC files can be accessed by even novice PC users. Disgruntled employees, cleaning crews, etc. can copy, modify, or destroy sensitive, valuable, and often irreplaceable data.
As PCs have proliferated through business, so has the importance of the information they manage, and the risk of information misuse and loss. As more company-critical applications and data are used on PCs, the issues of security go beyond the personal inconvenience of having data lost, destroyed, or stolen. The loss of any data, including word processing documents, spreadsheets, databases, etc., can be traumatic, and the mishap is not to be taken lightly. In company critical applications, the loss of even several hours could mean the loss of thousands of dollars, due to lost business opportunities, a lost order, or customer goodwill, in addition to problems created by the inability to process important monthly or payroll type applications.
Large companies with MIS departments are very security conscious, with formal security procedures, plus software and data safeguards. The data on the PC can be just as critical to the individual or company, as the data contained on a mainframe. The fact that it is stored on a PC doesn't make the data less valuable of the need for security any less.
What is the value of your PC data? As the PC has become much more than an expensive calculator, many people and businesses view the PC and PC based data to be critical to the functioning of their business. When you take into consideration the hours, days, or weeks spent in creating and modifying PC based data in most cases the value of the data stored on the PC is many times greater than the value of the hardware. Although the risks of misuse of data and of PC virus attack are small, they are growing. It is good business practice to protect your data, if the cost is reasonable, if it is not difficult, or time consuming. This is no different than protecting old style "files" in locked fire proof cabinets. The technology is different, but the issues are the same.
By restricting access via passwords, this vulnerability is reduced. Many approaches to this problem have been implemented in software. Unfortunately, this type of implementation can often be defeated by simply inserting a DOS boot disk into drive A. To be effective, the solution to this problem requires a hardware component which restricts any access to the machine without a valid password. Because such hardware solutions intercept control before the disk operating system starts, this form of protection cannot be defeated by booting from a floppy disk. Unfortunately, such prior art hardware based protection schemes requires specialized hardware which will serve as the hardware access key, as well as often times requiring specialized hardware within the computer itself to interrogate the hardware key.
Conventional access control packages for small computers utilize passwords only. Any person gaining knowledge of the password can access the system. Alternative access control mechanisms provided by other packages require special hardware and/or special key devices. Other implementations create diskettes that are not unique from system to system, or from creation to creation.
The conventional approach to security functions is to integrate them into the application which uses them. This increases the size of the application. Furthermore, no standard mechanism exists for a group of applications to alter the security configuration of the system. Many access control systems provide an unlimited number of illegal attempts.
Although password access control exists on a host system, which is administered by the host, no mechanism currently exists for a host system to remotely control access to a personal computer.
There are a number of other prior art approaches to PC security. They span the gamut from biometric thumb scan access, to special sealed Tempest shielded PCs to prevent electronic snooping, to DES encryption of all files with specific access passwords on a file or directory level. While such severe measures are certainly warranted in the use and handling of highly sensitive or classified data, this level of security is not generally required or needed in the business environment.
Another threat to the data and programs stored on a PC is attack from a computer virus. These small programs can attach themselves to a normal program or data file, which may be inadvertently copied from system to system. Once a virus program has been copied to a PC, it can cause serious damage to program and data files that reside on the system. Without some form of protection, the PC user may not realize that the system has been infected until after damage has been done.
There are a number of prior art approaches to virus protection. They include never using a disk from anyone, never downloading data from a bulletin board service (BBS) or via a modem, not connecting to a network, checking each program or file with a virus finder, only running new programs on a floppy or on a quarantine machine until determined safe, having a special program slow down the processing of the PC while it watches every activity to determine if is normal or a virus. While these measures can add additional levels of protection, practicality in a business environment must be considered.
Some prior art approaches to virus protection check hard disk system ares and files after the disk operating system has booted. Any damage caused by corrupted system files and data may already be done. If a virus has already attached itself to one of the operating system files, once this file has been loaded (during boot), the virus is in control.
Other approaches to virus protection require booting the system from a known floppy disk and checking the hard disk before allowing the use of files stored on the hard disk.
As other approaches to virus protection are resident on disk, they themselves can be corrupted.
Even if you have protected your system from unauthorized access and viruses, once your PC is turned on and validly accessed, it is again vulnerable. Most people turn their PCs on in the morning and leave them on all day. Lunch, an out of the office appointment, long meetings, or Just going down the hall are all opportunities for unauthorized access to data. A quick erase or a quick copy to a diskette may leave no signs of activity. However, it is impractical to exit your program, save your data, and turn your PC off every time you leave your desk for a few moments.
A PC screen can also inadvertently expose sensitive data such as payroll, financial, or personnel records to anyone. Information left on the screen while at lunch or a meeting, or obtainable through just a few keystrokes, is all that may be required to steal or destroy a file. In today's aggressive business environment, a company's competitive edge is relative to its customer files and information, or proprietary information such as product development, marketing and sales plans, and product price and costs lists.
Accordingly, it remains highly desirable to provide the ability to detect the presence of viruses in a manner which will allow the operation of the computer to be halted, for example by failing to complete the boot operation, on a regular basis. Furthermore, computer security remains of vital importance.